MiringValidator v1.2 - Security Updates
SECURITY XML External Entity (XXE) Protection
Enhanced security to prevent XML External Entity attacks by disabling external entity processing in all XML parsers.
Changes Made:
- SAXParserFactory - Added XXE protection in SchemaValidator.java (3 instances)
- TransformerFactory - Added XSLT XXE protection in Utilities.java
Security Features Added:
- external-general-entities: false - Blocks external entity references in SAX parsers
- external-parameter-entities: false - Blocks parameter entity references in SAX parsers
- secure-processing: true - Enables secure XSLT processing
- accessExternalDTD: "" - Blocks external DTD access in transformers
- accessExternalStylesheet: "" - Blocks external stylesheet access
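The following is an added illustration of how the features and attributes listed above are set on the JDK factories; it is not code from MiringValidator, and the class name, method names, placeholder path and sample document are constructed for this example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerFactory;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

// Added example (not the project's own code): factory hardening that
// matches the SAX features and transformer attributes in the release notes.
public class XxeHardening {

    // SAX parser factory with external general and parameter entities disabled.
    public static SAXParserFactory hardenedSaxFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    // Transformer factory that may not fetch external DTDs or stylesheets.
    public static TransformerFactory hardenedTransformerFactory() throws Exception {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");        // accessExternalDTD: ""
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); // accessExternalStylesheet: ""
        return f;
    }

    // Constructed sample document declaring an external general entity.
    static final String SAMPLE =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE hml [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\">]>\n"
        + "<hml><sample>&ext;</sample></hml>";

    public static void main(String[] args) throws Exception {
        final int[] skipped = {0};
        DefaultHandler handler = new DefaultHandler() {
            @Override public void skippedEntity(String name) { skipped[0]++; }
        };
        hardenedSaxFactory().newSAXParser()
                .parse(new InputSource(new StringReader(SAMPLE)), handler);
        // With external-general-entities disabled the reference &ext; is left
        // unresolved: the JDK parser reports it through skippedEntity instead of
        // reading the named file.
        System.out.println("skipped external entities: " + skipped[0]);
    }
}
```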
SECURITY Vulnerable Dependencies Updated
Updated vulnerable third-party libraries to secure versions.
Dependencies Updated:
- org.json - Updated from 20140107 to 20231013
- Fixes: CVE-2022-45688 (CVSS 7.5), CVE-2023-5072 (CVSS 7.5)
SECURITY Path Traversal Protection
Added validation to prevent potential path traversal attacks in test code.
Changes Made:
- UtilsTest.java - Added path validation for classpath resources
- Validates that the resource URI contains the expected resource path before the file is accessed
COMPATIBILITY Java 11+ Support
Added JAXB dependencies to support Java versions 11 and higher.
Dependencies Added:
- javax.xml.bind:jaxb-api:2.3.1
- org.glassfish.jaxb:jaxb-runtime:2.3.1
Impact Assessment
- Functionality: All existing validation features work unchanged
- Performance: No performance impact
- Security: Significantly improved - XXE attacks now blocked
- Compatibility: Now supports Java 8 through Java 17+
What Gets Blocked
- DOCTYPE declarations in uploaded XML
- External entity references (&externalEntity;)
- Parameter entity references
- File system access attempts via XML
- XSLT external entity attacks
- External DTD and stylesheet access in transformers
- Path traversal attempts in file operations
What Still Works
- XSD schema validation
- Schematron rule validation
- All MIRING compliance checking
- HML file processing
- Report generation